Social engineering is one of the most powerful tools in the hacker's arsenal and it generally plays a part in most of the major security breaches we hear about today. However, there is a common misconception around the role social engineering plays in attacks.
One such misconception is that social engineering is a technique only used in advanced attacks against specific organisations. We picture something out of a James Bond film: hackers collecting bits and details about a specific company, its structure and its employees, aggregating all the digital traces that employees leave around the cyber universe and then using this information to create an irresistible email that one or more of the employees will fall prey to, providing the attacker with the magic key.
The reality however is far less glamorous, much more mundane and a lot scarier.
A recent blog entry we posted illustrates that most cyber-crime activity is rooted in immense infection campaigns that rely on mass-scale social engineering. The very basic elements of human behaviour combined with the law of large numbers mean that enough people will click to make the campaign worthwhile.
The blog provided examples of such emails and techniques for creating them. With some careful distribution (e.g. choosing addresses like firstname.lastname@example.org, email@example.com) these campaigns become even more effective with smaller distribution lists, with the added bonus of making them more difficult to detect as spam. While many of those messages would infect personal devices, some enterprise machines will also be affected, giving attackers a foothold into many organisations which they can further exploit with persistent attacks.
Below are some recent examples I picked from my own mailbox:
The first example is an email I received from a law firm I had previously worked with. While normal people wouldn't go as far as checking the message header to verify that the message was actually sent from the mailbox of someone working at the said company, I did. The message was in fact sent from the email address of a lawyer working at the firm. However, notice that the recipients list is somewhat bulky and includes every contact in the lawyer's contact list.
This apparently “socially engineered” email was really the result of two automation tools – one which infects people indiscriminately (to which the specific lawyer fell prey) and another that goes through victims' contact lists, sending further phishing emails. I am sure that other clients and attorneys on that list fell for the scam, especially if they were waiting for documents from that law firm.
The second example is even better. It came in from a travel agency in Brazil with which I had just booked a trip (via email exchange). It is a small agency and I was expecting them to send me further information about the trip. I would love to think I was special enough for someone to have tracked me down, found out that I was planning a trip with this company and taken advantage of this opportunity to compose the message especially for me.
Spy fantasies aside, in reality, a computer inside the agency was already infected with a trojan that once in a while goes through the list of recently sent emails, grabs the recipients' addresses and sends them this standard message. In this instance, messages are not sent through the account of the agency but from a separate account, using a simple technique we pointed out in our blog entry for impersonating the sender's address. Undoubtedly, many people would fall for this.
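The two cases above leave different traces in the message headers: the law-firm mail came from a genuine mailbox but carried a bulky recipient list, while the agency mail showed the agency's address in From but was sent from a separate account. The following triage script, added here as an illustration rather than code from the original post or from Imperva, flags both signals on constructed sample messages (all addresses, domains and the Return-Path values are made up; Return-Path is assumed to be the envelope sender as stamped by the receiving mail server).

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not real mail from the post). The first models the
# compromised law-firm mailbox: the sender is genuine, but the whole address book
# is on the To line. The second models the travel-agency case: the From header
# shows the agency, but the envelope sender and Reply-To point at other accounts.
CONTACTS = ", ".join(f"contact{i}@example.org" for i in range(40))
MSG_COMPROMISED_ACCOUNT = f"""Return-Path: <attorney@lawfirm.example>
From: Attorney <attorney@lawfirm.example>
To: {CONTACTS}
Subject: Your documents

Please open the attached file.
"""
MSG_SPOOFED_SENDER = """Return-Path: <bulk@mailer.example>
From: Travel Agency <agent@agency.example>
Reply-To: agent.booking@freemail.example
To: customer@example.com
Subject: Your trip confirmation

Please open the attached file.
"""

def _domain(addr: str) -> str:
    """Lower-cased part after '@' of a bare address ('' if none)."""
    return addr.rpartition("@")[2].lower()

def triage(raw: str, bulk_threshold: int = 20) -> list[str]:
    """Return the header-level warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    flags = []
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) >= bulk_threshold:
        flags.append("bulk-recipients")  # whole address book harvested?
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    env_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if env_dom and env_dom != from_dom:
        flags.append("envelope-sender-mismatch")  # From address impersonated
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")  # replies diverted elsewhere
    return flags

if __name__ == "__main__":
    for name, raw in [("law firm", MSG_COMPROMISED_ACCOUNT), ("agency", MSG_SPOOFED_SENDER)]:
        print(f"{name}: {triage(raw) or 'no header warning signs'}")
```

Neither flag proves an attack on its own (mailing-list traffic and legitimate bulk senders trip them too), so in practice these are triage inputs that raise a message for closer inspection, not a verdict.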
While it is possible for hackers to target specific organisations or individuals using social engineering, this is not cost-effective. Intelligence agencies could potentially use this technique to penetrate specific locations, but only if everything else fails.
The bottom line is that social engineering is used for almost every attack against individuals. However, this is usually large-scale social engineering, appealing to our most basic characteristics as human beings and taking advantage of the law of large numbers. Some victims would have their corporate computers infected as a result of this attack, providing the attackers with further access into corporate networks and business data.
Contributed by Amichai Shulman, CTO, Imperva